Ensure that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure web tier in order to meet cloud security and compliance requirements. This conformity rule assumes that all the Azure cloud resources available in your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the tag set defined for your Azure web tier must be configured within the rule settings, on the Cloud Conformity dashboard.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
When you use your own Azure Key Vault Customer-Managed Key to protect the data within your cloud web tier, you gain full control over who can use this key to access the web data, implementing the principle of least privilege on the encryption key ownership and usage. Cloud Conformity strongly recommends creating and configuring at least one Customer-Managed Key (CMK)/Bring Your Own Key (BYOK) for your Azure cloud web tier
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in this conformity rule with your own tag name and value created for the web tier.
Audit
To determine if a web-tier Key Vault Customer Master Key exists in your Microsoft Azure cloud account, perform the following actions:
Remediation / Resolution
To create and configure a dedicated Customer-Managed Key (CMK) for the Azure cloud resources provisioned within your web tier, perform the following actions:
References
- Azure Official Documentation
- About Azure Key Vault
- About keys, secrets, and certificates
- Bring your own key (BYOK) details for Azure Information Protection
- Azure Command Line Interface (CLI) Documentation
- az keyvault list
- az keyvault key list
- az keyvault key show
- az keyvault key create